OSG-SEC-2021-12-16 UPDATE on Log4J Vulnerability
The patch released to address the original vulnerability (2.15.0) was incomplete [1]. The OSG Security team recommends that all sites should update log4j to version 2.16.0 (for Java 8) or 2.12.2 (for Java 7) and implement the recommended JNDI lookup mitigation from Apache [2] where possible.
REFERENCE LINKS
[1] https://www.cve.org/CVERecord?id=CVE-2021-44228 [2] https://logging.apache.org/log4j/2.x/security.html
ORIGINAL ANNOUNCEMENT
OSG-SEC-2021-12-13 CRITICAL Severity Vulnerability in Java library Log4j
Dear OSG Security Contacts,
A new vulnerability has been found in the Java Log4j library which allows a remote attacker to execute arbitrary code on a server if the system logs an attacker-controlled string value [1]. Proof of Concept for this attack is available and it is being actively exploited. Due to the widespread nature of this vulnerability and the ease of exploitation the OSG Security Team considers this vulnerability to be of CRITICAL severity for affected systems.
IMPACTED VERSIONS:
Any java based web service running a Log4j version prior to 2.15.0.
WHAT ARE THE VULNERABILITIES:
Any java-based web service that uses log4j for logging is potentially vulnerable to a remote code execution flaw which allows a remote attacker to execute a remote payload with a simple command.
A list of known affected services is being compiled [2], at present this includes Apache Solr, Druid, Flink, as well as Logstash, ElasticSearch, and Kafka. The full attack surface has not yet been identified.
At this point we do not believe the OSG software stack, dCache, or VOMS admin to be vulnerable to this attack.
WHAT YOU SHOULD DO:
As soon as possible, identify any services running log4j affected versions and update to version 2.15.0 or higher [3][4][5].
If you are using a version older than 2.15.0 and cannot upgrade a temporary mitigation may be available [6].
REFERENCES
[1] https://www.lunasec.io/docs/blog/log4j-zero-day/ [2] https://github.com/YfryTchsGD/Log4jAttackSurface [3] https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0 [4] https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.15.0/ [5] https://logging.apache.org/log4j/2.x/download.html [6] https://www.lunasec.io/docs/blog/log4j-zero-day/#temporary-mitigation
Please contact the OSG security team at [email protected] if you have any questions or concerns. OSG Security Team